Extreme Security

As someone with anxiety, I’m looking for the bank that is the most secure, and has the least amount of ‘holes’ for a fraudster to get through.

I know that, as a legitimate user, the only way to log in is to use a ‘magic link’, and so if my email is secure (it is - it’s locked with a physical USB key), then nobody will be able to log in.

Beyond that though, let’s say a fraudster wants ‘in’ to my account - they get in touch with help@monzo.com or they call up. What hoops are in place that they would have to jump through? If they had stolen my ID, could they use that, or would a new selfie video be needed too? What if they didn’t have access to my email address (and just said they were me but couldn’t access it for whatever reason)?

To turn the question on its head, if I legitimately couldn’t access my email account, lost my ID, and couldn’t remember my PIN, how would I get access to my account again?

5 Likes

In terms of third parties, you would not be able to access on a new device with your card PIN

Hello @bill & welcome :wave:

That’s the reason for the selfie-video. If all else fails, Monzo can look at the historical selfie and a recent selfie to deduce if you are ‘you’. In my opinion, this is as secure as it gets.
A little further detail here;

5 Likes

People who have had to do this in the past have said they’ve needed to record a new video selfie holding ID, so that Monzo can verify they are who they say they are before changing anything.

I’ve actually wondered recently whether this is true anymore… given the rise of deepfakes, how useful is this video? I think that if somebody really wants to get in that badly, they’ll do it. True security is becoming very difficult to achieve and the processes of access are now very vulnerable areas.

2 Likes

So what are the chances of someone “human-engineering” someone at Monzo into changing the postal address and sending out a new card, for example, by spinning some yarn about recently moving and losing everything in the move?

I’ve read quite a few instances with the legacy banks where people have just walked into a branch, given enough (publicly accessible) information to “prove” (ahem) their identity, and seized control of an account.

1 Like

Should be near-zero, because all roads seem to lead to “Can you do a new selfie video, please”. Even if you’ve lost everything but your phone you can still do a video.

2 Likes

I like your thinking :+1:

It’s not just the selfie-video though. The SV is an extra layer. If I run through what I need to do, as ‘not me’ to get access to my Monzo account if my device is set correctly for max security;

[1] Find or pick-up my phone - possible, if I’ve lost it or someone has lifted it
[2] Unlock it with my fingerprint - very doubtful
[3] Navigate to the Monzo app and open it - possible but only if they have my fingerprint - they may see notifications on my lock screen which is… erm… locked
[4] View my Monzo accounts/pots - nice viewing… but not without fingerprint
[5] Attempt to transfer money from my Personal/Joint account(s) - fingerprint needed for any transfers - at this stage, no chance.

In other words - no biometric match - no access.

So then;

The finder/thief contacts Monzo on the OFF-CHANCE I am actually a Monzo customer (see [3] above) and asks for access. Monzo then asks for verification, which includes submitting a selfie-video if the finder/thief can’t supply the CVV from the physical card - and boom - the finder/thief looks nothing like me.

And in the meantime, I’ve realised my device is missing, logged onto web.monzo.com and frozen my card.

No online system is foolproof, but for the opportunist trying to get access, it is almost impossible.
A gun to your head while you are sat bound in a chair is more likely to yield results for a thief.

3 Likes

That’s a great explanation, really helpful - thank you @davidwalton :slight_smile:

2 Likes

Thanks for sharing the vid. I found it interesting to watch

I can answer this one because it’s happened to me (well partially anyway). I was trying to fix a bug by reinstalling the app but I couldn’t log back in. Monzo’s mail servers were having issues communicating with my personal mail server so I wasn’t receiving the magic link.

I contacted Monzo on Twitter and the solution we settled on was changing my account email to my other more standardly used email provider. They asked me to email the help@ address with my old email address included (I assumed this meant on CC but I’m not sure) and a selfie of me holding up my ID.

Everything was then switched over for me and I could log in again.

If this were to happen again today then I’d also be required to enter my card PIN after logging in for the first time.

1 Like

If you wanted the most secure bank then the answer would simply be that you couldn’t.

Either you want ultimate security or you actually want reasonably risk-based security? But I feel like your concern comes from a lack of information or misinformation from media.

All banks have to meet a minimum set of standards, no bank really goes over these standards by much as it’s not required and costs money.

If you really want ultimate security over your money, put it in a bank vault, and only take out what you need for the day.

1 Like